I’m going to implement CAS for two central locations and branches connected via WAN. It will be L3 OOB deployment, one redundant CAS pair will be located in first central location and one redundant CAS pair will be located in second central location.
Is it possible to configure two NAC servers (I mean two redundant pairs) in NAC agent for users located on branches? E.g. by preparing appropriate XML configuration file for NAC agent (how exactly two IP address has to be written in this file? ).
If first redundant pair of CAS will not be available for NAC agent, how second redundant CAS pair will be chosen by agent (automatically or manually by user)?
I don't think that's the way it will work. The NAC agent doesn't know of your CASs. It only sends out traffic to a host that you define as a discovery host every five seconds and whichever CAS is in the way of that traffic will intercept and process it. The purpose of the discovery host is to generate traffic towards your trusted network, so it could get intercepted by the CAS.
If you want a separate pair to handle your traffic when the first pair goes down, you will have to arcitecht your network in a way that the traffic from the subnets that have the broken CAS flow through the other CAS's network. How? I don't know, and depends a lot on how your network is layed out!
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :